IT chiefs warned over patching priorities

28 Feb 2012

IT managers who spend their time patching their Microsoft applications to avoid leaving vulnerabilities for cyber criminals to exploit may be focusing on the wrong target, a recent report has suggested.

Almost four out of five flaws affecting PCs discovered over the past five years were found in third-party programmes not developed by Microsoft.

According to the Secunia Yearly Report 2011, the commonly held belief that exploits are mostly available for popular programmes, such as Microsoft tools, is incorrect. “In fact, there can be a significant gap between what an organisation patches vs what a cyber criminal has the opportunity to, or chooses to attack,” the document states.

“The incorrect perception that Microsoft programmes still represent the primary attack vector, means that defences based on this false assumption are as effective as locking the front door to your home while the back door remains wide open.”

“Taking the approach of only securing the operating system and Microsoft programmes leaves the end point at considerable risk. However, the power to protect end points is in the hands of all users, as 72pc of the vulnerabilities had a patch available on the day of vulnerability disclosure,” the report said.

The problem is exacerbated because third-party software is harder to patch than Microsoft applications, Secunia added: Microsoft ships updates through a single, automated channel, whereas third-party programmes each have their own update mechanism, if any.

This runs counter to the idea that zero-day threats are the most pressing risk. Secunia said most attacks exploit known flaws, for which a fix is typically already available, rather than newly discovered ones.

“The shifting dynamics of the threat landscape means that knowing what to patch – what programmes cyber criminals are setting their sights on – and when, is just as critical.”

Secunia warned that focusing on patching a limited and static set of programmes considered business critical fails to reduce the true risk because the threat environment changes so rapidly. It recommends instead a more agile approach: identify what programmes an organisation actually has installed, correlate that inventory with up-to-date vulnerability data (including whether a flaw is being exploited and whether a patch exists), and back this with processes that allow critical patches to be deployed in a timely way.
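The inventory-and-correlation approach described above, as an added example that is not code from Secunia or from the article. It takes a list of installed programmes per host and a vulnerability feed, finds which installations fall below the fixed version, and ranks the resulting patch work so that flaws known to be exploited and already patched by the vendor come first. All product names, advisory identifiers, version numbers and the "exploited in the wild" and "patch available" flags are constructed for illustration; the report's only real inputs here are the ideas it recommends (correlate inventory with vulnerability data, prefer known exploited flaws over hypothetical zero-days, and measure how much of the exposure a Microsoft-only patch list would miss).

```python
"""Correlate a software inventory with a vulnerability feed and rank patches.

Added example, not from the Secunia Yearly Report 2011 or the article.
Every product, version, advisory identifier and flag below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # hypothetical identifier, not a real advisory
    product: str
    fixed_in: str           # first version that is no longer affected
    patch_available: bool   # vendor has shipped a fix
    exploited_in_wild: bool # attacks against this flaw have been observed
    vendor: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.4.0' into (9, 4, 0); a non-numeric component counts as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the fixed version.

    Both tuples are padded so that '6.1' compares as '6.1.0' against '6.1.2'.
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def priority(adv: Advisory) -> int:
    """Lower is more urgent.

    0: exploited and a patch exists -> deploy now (the known-flaw case the
       report says dominates real attacks).
    1: exploited but no patch yet -> mitigate and monitor.
    2: not known to be exploited, patch exists -> routine patching.
    3: not exploited, no patch -> track.
    """
    score = 0
    if not adv.exploited_in_wild:
        score += 2
    if not adv.patch_available:
        score += 1
    return score


# Constructed inventory: what an agent or registry scan might report per host.
INVENTORY: List[Installed] = [
    Installed("ws01", "AcmeReader", "9.4.0"),
    Installed("ws01", "AcmeBrowser", "12.0"),
    Installed("ws02", "AcmeBrowser", "11.8"),
    Installed("ws02", "ExampleOS Component", "6.1"),
    Installed("ws03", "AcmeMedia", "3.1.9"),
]

# Constructed vulnerability feed; identifiers and products are invented.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-1001", "AcmeReader", "9.5.0", True, True, "Acme"),
    Advisory("ADV-1002", "AcmeBrowser", "12.0", True, False, "Acme"),
    Advisory("ADV-1003", "ExampleOS Component", "6.1.2", True, False, "Microsoft"),
    Advisory("ADV-1004", "AcmeMedia", "3.2", False, True, "Acme"),
]

Finding = Tuple[int, str, str, str, str, str]  # priority, host, product, version, advisory, action


def correlate(inventory: List[Installed], advisories: List[Advisory]) -> List[Finding]:
    """Join inventory against advisories and return findings sorted by urgency."""
    by_product: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    findings: List[Finding] = []
    for item in inventory:
        for adv in by_product.get(item.product, []):
            if is_vulnerable(item.version, adv.fixed_in):
                action = "patch" if adv.patch_available else "mitigate/monitor"
                findings.append((priority(adv), item.host, item.product,
                                 item.version, adv.advisory_id, action))
    findings.sort()
    return findings


def share_outside(findings: List[Finding], advisories: List[Advisory],
                  watched_vendors: FrozenSet[str] = frozenset({"Microsoft"})) -> float:
    """Fraction of findings a static, vendor-limited patch list would miss."""
    vendor_of = {a.advisory_id: a.vendor for a in advisories}
    if not findings:
        return 0.0
    missed = sum(1 for f in findings if vendor_of[f[4]] not in watched_vendors)
    return missed / len(findings)


if __name__ == "__main__":
    results = correlate(INVENTORY, ADVISORIES)
    for prio, host, product, version, adv_id, action in results:
        print(f"P{prio} {host:5} {product:20} {version:7} {adv_id} -> {action}")
    print(f"share missed by a Microsoft-only list: {share_outside(results, ADVISORIES):.0%}")
```

The ranking deliberately puts a flaw that is both exploited and patched ahead of everything else: that is the combination the report says accounts for most real attacks and is also the cheapest to close. An exploited flaw with no vendor fix is listed next so it is not forgotten, but with "mitigate/monitor" rather than "patch" as the action. Replace the constructed `INVENTORY` with real scan output and `ADVISORIES` with a maintained feed to use the same logic in practice.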

Gordon Smith was a contributor to Silicon Republic